Views

Policy for US Cybersecurity

Lt Col August G. Roesener, PhD, USAF
Maj Carl Bottolfson, USAF
CDR Gerry Fernandez, USN

Since creation of the first interconnected computer network in 1969 as
an Advanced Research Projects Agency endeavor, cyberspace has expanded
to affect many, if not most, aspects of Americans’ lives. Unfortunately,
accessibility to and expansion of the Internet often proceeded without
proper consideration for the security of the information contained or
transmitted therein. The lack of necessary security and the anonymity
afforded by the Internet led to equally rapid growth (if not more so) of
the nefarious exploitation of this man-made domain. Regrettably, it is
unlikely that “the United States can protect itself from the growing
threat of cybercrime and state-sponsored intrusions and operations.”1
However, this prospect should not limit attempts by the United States to
defend its cyberspace infrastructure, “whether the threat comes from
terrorists, cybercriminals, or states and their proxies.”2 Consequently,
America must develop offensive and defensive cyber capabilities.
Additionally, clearly defined policies require development and
implementation to ensure cohesion across the whole of government. With
respect to cyber domain attacks on US civilian systems attributable to a
nation-state, the Department of Homeland Security (DHS) should have
responsibility for responding (in the form of consequence management);
US Northern Command (USNORTHCOM), for domestic attack assessment; and US
Cyber Command (USCYBERCOM), for defense and any counterstrike response
(in coordination with applicable combatant commands and US national
agencies). This article describes the cyberspace environment and its
threats; explains the current authorities, roles, and responsibilities
of these and other agencies; and details how these authorities, roles,
and responsibilities need modification to best protect US national
security interests.


The Environment

Cyberspace is “the globally-interconnected digital information and
communications infrastructure.”3 From smartphones with navigation
systems, to online banking, to global communications, cyberspace is an
essential portion of most Americans’ lives. The US Department of Defense
(DOD) recently decided to “treat cyberspace as an operational domain.”4
Because of the ease and relatively low cost of conducting operations in
cyberspace (compared to the physical domains of air, land, sea, and
space) as well as the anonymity afforded by this virtual domain, cyber
threats and attacks are more prevalent and arguably just as dangerous as
those in the physical domains. In fact, the 2010 National Security
Strategy noted that “cybersecurity threats represent one of the most
serious national security, public safety, and economic challenges we
face as a nation.”5 This statement is particularly troubling because
“foreign cyberspace operations against U.S. public and private sector
systems are increasing in number and sophistication. DoD networks are
probed millions of times every day.”6 Although not readily apparent,
these attacks could affect the lives of average American citizens.
Indeed, these types of cyber threats and attacks “go well beyond
military targets and affect all aspects of [US] society. . . . Given the
integrated nature of cyberspace, computer-induced failures of power
grids, transportation networks, or financial systems could cause massive
physical damage and economic disruption.”7 The potential negative impact
on US national interests as well as the lives and assets of US citizens
calls for government preparation and protection in the virtual domain
equal to those in the physical domains.


November-December 2014

Air & Space Power Journal | 39


Authorities, Roles, and Responsibilities

The following explains the current authorities, roles, and
responsibilities for securing and defending cyberspace, examining those
of the private sector and then their relationship to US government
agencies—specifically, the Department of Commerce (DOC); DHS; Department
of Justice (DOJ); Department of Energy (DOE); and DOD, including US
Strategic Command (USSTRATCOM), USCYBERCOM, USNORTHCOM, and the National
Security Agency (NSA). Here, private sector refers to any non-US
government entity—an individual, a small company, or a large
corporation. Because data and information with potential national
security and vital economic interests reside on private-sector networks,
they are targets for cyber intrusions in the form of nation-state and
corporate espionage, identity theft, economic terrorism, and so forth.
In light of the privacy issues inherent in the US government’s
protection and defense of cyberspace, few requirements are placed on the
private sector for reporting cyber intrusions or attacks. In
Presidential Policy Directive 21, the Obama administration designated
the DOC, in collaboration with the DHS and other relevant federal
departments and agencies, as the lead agency to “engage private sector,
research, academic, and government organizations to improve security for
technology and tools related to cyber-based systems.”8 The goal of this
effort includes collaboration to enhance protection and security but
involves only engagement activities. The DOC has no authority either to
demand or enforce cybersecurity standards in these institutions.

Other key private-sector actors, such as the defense industrial base
(DIB), have access to or oversee aspects of national interest and
therefore receive more cybersecurity emphasis. The DIB includes “the
public and private organizations and corporations that support DoD
through the provision of defense technologies, weapons systems, policy
and strategy development, and personnel.”9 In a memorandum to DOD
leadership, the deputy secretary of defense noted that “cyber threats to
DIB unclassified information systems represent an unacceptable risk of
compromising DOD information and pose an imminent threat to US national
security and economic interest.”10 Consequently, the DOD implemented a
cybersecurity and information assurance program in which “DOD provides
classified and unclassified cyber threat information and information
assurance best practices to DIB companies.”11 The DIB agencies then have
a responsibility to “report cyber incidents that may involve DOD
information for analysis, development of coordinated mitigation
strategies, and, when needed, cyber intrusion damage assessments of
compromised DOD information.”12 Unfortunately, the fact that this
“responsibility” is not a requirement but voluntary reduces the
probability that the DIB actor will self-report because, once labeled a
security concern, it could lose government contracts, thereby decreasing
revenue.

In addition to the DIB, the US government retains a vested interest in
protecting agencies that control portions of the United States’ critical
infrastructure and key resources (CIKR), the former including “systems
and assets, whether physical or virtual, so vital that the incapacity or
destruction of such may have a debilitating impact on the security,
economy, public health or safety, environment, or any combination of
these matters.”13 US key resources are “publicly or privately controlled
resources essential to the minimal operations of the economy and
government.”14 To enhance cybersecurity and awareness, CIKR owners and
operators are encouraged to remain “integrated both physically and
virtually into the [DHS’s National Cybersecurity and Communications
Integration Center (NCCIC)] during steady-state operations and . . .
fully and appropriately integrated into cyber incident response
capabilities.”15 Again, because this is the private sector, any
participation is purely voluntary. Additionally, President Obama
released an Executive Order on Improving Critical Infrastructure
Cybersecurity which noted that “in order to maximize the utility of the
cyber threat information sharing with the private sector, the Secretary
[of Homeland Security] shall expand the use of programs that bring
private sector subject matter experts into Federal service on a
temporary basis.”16 Thus, these experts can “provide advice regarding
the content, structure, and types of information most useful to critical
infrastructure owners and operators in reducing and mitigating cyber
risks.”17 Because neither partnerships nor strong relationships exist
between the private sector and the US government in this context, the
data and information on their networks are vulnerable to cyber attacks
in the form of intrusion or exploitation. This vulnerability poses a
great threat to US national security.

In Homeland Security Presidential Directive 7, President George W. Bush
designated the DHS as the lead agency for protection of critical
infrastructure, specifying that the secretary of homeland security will
“maintain an organization to serve as a focal point for the security of
cyberspace.”18 These roles and responsibilities receive additional
detail and refinement in that “through CS&C [cybersecurity and
communications], the Secretary of Homeland Security is responsible for
providing crisis management and coordination in response to Significant
Cyber Incidents.”19 Furthermore, as the lead agency of the NCCIC, the
DHS will

coordinate with all partners, including law enforcement agencies,
leading the national effort to investigate and prosecute cybercrime; the
IC [intelligence community] regarding threats, intelligence, and
attribution; DOD elements regarding intelligence and information
sharing, military operations to defend the homeland; State and Local
governments; and the private sector to ensure common operational
situational awareness is being leveraged by all response organizations
as they execute their individual authorities and missions.20

With Presidential Policy Directive 21, the Obama administration slightly
modified these roles by stating that the DHS retains responsibility to
“coordinate Federal Government responses to significant cyber or
physical incidents affecting critical infrastructure.”21 It is important
to note that although the DHS is charged with cybersecurity, its primary
concern is the area of crisis-management response and coordination with
other agencies. In fact, the “DHS currently has very limited statutory
responsibility for the protection of federal information systems.”22 The
National Institute for Standards and Technology (NIST), a nonregulatory
federal agency within the DOC, has established a cybersecurity framework
to help “critical infrastructure owners and operators reduce risks in
industries such as power generation, transportation and
telecommunications.”23 Thus, one US department sets the standards for
critical infrastructure cybersecurity, and another is tasked with
protecting these assets in the cyber domain. Moreover, according to Mark
Weatherford, DHS undersecretary of cybersecurity for the National
Protection and Program Directorate, “There’s a lack of true cyber
security talent. I mean the real ninja kind of guys and gals that you
can build your security program around. . . . I don’t think it’s
overstating to say this is a national emergency.”24 The lack of proper
authorities and capabilities prevents the DHS from adequately fulfilling
its defined responsibilities.

In Homeland Security Presidential Directive 7, President Bush tasked the
DOJ, including the Federal Bureau of Investigation (FBI), to “reduce
domestic terrorist threats, and investigate and prosecute actual or
attempted terrorist attacks on, sabotage of, or disruptions of critical
infrastructure and key resources.”25 Although these roles do not
specifically mention cyberspace, those of the attorney general were
subsequently refined to include offering “guidance on legal issues that
require resolution during efforts to respond to, and recover from, a
cyber incident; [managing] any resulting criminal and/or domestic
foreign intelligence investigations; and [sharing] information from
those investigations as permitted by law.”26 The FBI was assigned the
responsibility of serving as “the lead agency operating domestically to
protect and defend the United States against terrorist and foreign
intelligence threats, including those that have a cyber nexus.”27
Presidential Policy Directive 21 modified these roles so that the FBI
“conducts domestic collection, analysis, and dissemination of cyber
threat information.”28 Additionally, the FBI operates the National Cyber
Investigative Joint Task Force—the “focal point for all government
agencies to coordinate, integrate, and share information related to all
domestic cyber threat investigations, . . . making the Internet safer by
pursuing the terrorists, spies, and criminals who seek to exploit [US]
systems.”29 Some roles include cyberspace concerns, but the
responsibility of the DOJ resides mainly with the prevention of
terrorist activities in cyberspace as well as investigating and
prosecuting those who perpetrate these types of activities.

Cybersecurity is a paramount concern for the DOE because “a resilient
electric grid is . . . arguably the most complex and critical
infrastructure that other sectors depend upon to deliver essential
services.”30 According to the NIST, cybersecurity “must be included in
all phases of the [electric] system development life cycle, from design
phase through implementation, maintenance, and disposition/sunset.”31
The DOE supports cybersecurity for the electric grid by “facilitating
public-private partnerships to accelerate cybersecurity efforts for the
21st century; funding research and development of advanced technology to
create a secure and resilient electricity infrastructure; [and]
supporting the development of cybersecurity standards to provide a
baseline to protect against known vulnerabilities.”32 Thus, the DOC
(through the NIST) sets the standards for cybersecurity of critical
infrastructure; the DHS protects critical infrastructure in the cyber
domain; and the DOE owns a large portion of the US government’s critical
infrastructure. This arrangement inevitably produces inefficiencies with
cybersecurity for these assets.

As the principal agency responsible for homeland defense, the DOD
maintains key roles and responsibilities in cyberspace. It relies
heavily on cyberspace; in fact, the “DoD uses cyberspace to enable its
military, intelligence, and business operations, including the movement
of personnel and material and the command and control of the full
spectrum of military operations.”33 Consequently, the department is very
dependent upon its networks for “command and control of . . . [its]
forces, the intelligence and logistics on which they depend, and the
weapons technologies we develop and field.”34 The virtual domain, then,
is not only a key domain for conducting operations but also a key
enabling domain for the conduct of operations within the physical
domains. As such, the DOD has responsibility for the security and
protection of its own cyberspace infrastructure. If necessary, though,
it can take “action to deter or defend against cyber attacks that pose
an imminent threat to national security.”35 Regarding this
responsibility, as well as the accompanying roles of the DHS, “in
extraordinary circumstances, the President, as Commander in Chief, or
Congress may authorize military actions to counter threats to the United
States. Therefore, DOD may conduct missions as the lead in defending the
United States. In such circumstances, DHS, via the NCCIC, works though
its processes and with its partners to support DOD missions.”36 By doing
so, the DOD assures the security of its networks and cyberspace
infrastructure and, when authorized by the president or Congress,
conducts activities in cyberspace to defend the United States and its
national interests.

Within the DOD, the secretary of defense tasked “cyberspace mission
responsibilities to United States Strategic Command (USSTRATCOM), the
other Combatant Commands, and the Military Departments.”37 USCYBERCOM,
currently a subunified command under USSTRATCOM, “plans, coordinates,
integrates, synchronizes and conducts activities to: direct the
operations and defense of specified Department of Defense information
networks and; prepare to, and when directed, conduct full spectrum
military cyberspace operations in order to enable actions in all
domains, ensure US/Allied freedom of action in cyberspace and deny the
same to our adversaries.”38 Clearly, for the DOD, USSTRATCOM has the
responsibilities for operating in cyberspace, but the majority of the
department’s cyberspace capabilities reside with the subordinate
command, USCYBERCOM.

Another DOD combatant command with a stake in cyberspace defense and
security, USNORTHCOM plans, organizes, and executes homeland defense
missions. Specifically, it “defends America’s homeland—protecting our
people, national power, and freedom of action.”39 With respect to
cyberspace, USNORTHCOM does not have a specifically defined mission;
however, no specific domain is associated with homeland defense.
Therefore, the currently defined roles appear to require that the
command defend the homeland in the cyberspace domain along with the
physical domains.

The director of the NSA, an agency also involved in cyberspace, is
dual-hatted (i.e., simultaneously serves in both positions) as the
commander of USCYBERCOM. The NSA “leads the U.S. Government in
cryptology that encompasses both Signals Intelligence (SIGINT) and
Information Assurance (IA) products and services, and enables Computer
Network Operations (CNO) in order to gain a decisive advantage for the
Nation and our allies under all circumstances.”40 Although its director
is in the DOD, the NSA’s roles and responsibilities go beyond one
department, supplying “products and services to the Department of
Defense, the Intelligence Community, government agencies, industry
partners, and select allies and coalition partners.”41 Cognizance of the
NSA’s information gives the USCYBERCOM commander better understanding of
the cyberspace environment.


Recommendations 

Any detailing of the cyberspace environment and the roles,
responsibilities, and authorities of the private sector and US
government agencies therein naturally raises two questions. Are the
agencies charged with certain roles and responsibilities capable of
performing those tasks? Are the authorities given to the responsible
agencies adequate to allow them to secure and defend cyberspace as
required? We contend that the answer to both of these questions is no.
According to the 2011 Cyberspace Policy Review produced by the Office of
the President of the United States, the US government “is not organized
to address . . . [the cyberspace] problem effectively now or in the
future. Responsibilities for cybersecurity are distributed across a wide
array of federal departments and agencies, many with overlapping
authorities, and none with sufficient decision authority to direct
actions that deal with often conflicting issues in a consistent way.”42
If the United States is to adequately “defend its networks, whether the
threat comes from terrorists, cybercriminals, or states and their
proxies,” then government agencies’ roles, responsibilities, and
authorities within cyberspace need alteration.43

The first major change involves the DIB as well as CIKR owners and
operators within the private sector. The companies and corporations that
comprise the DIB and support the DOD must incorporate cybersecurity
measures that satisfy DOD standards. This effort will undoubtedly
encounter resistance; many will claim that it involves an invasion of
privacy or that “big brother” is watching them. Additionally, the
alteration of security standards and protocols entails inherent costs
(in terms of dollars, time, resources, etc.). The best method to prevent
these concerns calls for requiring this level of cybersecurity as part
of awarding any new DOD contracts and the upgrade of any existing ones.
Additionally, all new or updated contracts must include reporting of any
cyberspace intrusions, attacks, or breaches. To facilitate this
reporting, DIB companies and corporations must adhere to the
cybersecurity standards established by the NIST and connect (either
virtually or through direct representation) to the NCCIC, which then
shares relevant information with the appropriate agencies (National
Cyber Investigative Joint Task Force, USCYBERCOM, USNORTHCOM, etc.).

Current laws preclude the US government from levying a similar
contractual requirement on CIKR owners and operators. Nevertheless, the
NIST established a cybersecurity framework “for understanding, managing,
and expressing cybersecurity risk.”44 Most of the services and products
provided by CIKR owners and operators are essential for US citizens but
not contractually funded by the US government; therefore, the latter
cannot demand contractual arrangements similar to those with DIB
companies and corporations. An appropriate method for making sure that
many CIKR owners and operators adhere to the same conditions placed on
the DIB and the standards established by the NIST involves inclusion of
contractual wording in any US government-provided insurance, subsidies,
grants, and so forth, that they receive.

To qualify for government-provided funds, CIKR owners and operators must
institute a prerequisite level of cybersecurity as well as a guarantee
of reporting any cyberspace intrusions, attacks, or breaches to the
NCCIC. An additional measure to persuade them to voluntarily participate
involves providing them (at no cost) with the DOD-approved cybersecurity
and information assurance software and training with the stipulation
that any intrusions, attacks, or breaches call for notification to the
NCCIC. Unfortunately, no panacea exists for cybersecurity within the
private sector. By modifying some requirements, though, the US
government improves security within the DIB, as well as the CIKR owners
and operators, and enhances the requirement for reporting cybersecurity
incidents.

With respect to the US government agencies, the president and/or
secretary of defense impose desired demands or restrictions. The first
major step in improving US cybersecurity and defense is to activate
USCYBERCOM as a fully functional combatant command instead of a
subunified command under USSTRATCOM. Although no specific activation
date currently exists, preparation began several years ago. Current
cyber threats and attacks necessitate completion of this action as
quickly as possible. As the agency with the best understanding of cyber
threats, USCYBERCOM should be redesignated as the principal agency for
developing and implementing cybersecurity measures across all US
government agencies (by authority of US Code Title 40) and the
previously discussed DIB and CIKR owners/operators (by authority of US
Code Titles 10 and 32, respectively). Unfortunately, this step will
require a simultaneous reduction in the DHS’s responsibilities,
explained below. USCYBERCOM must also work with the services to develop
capabilities and training for the personnel who detect and respond to
attacks in the cyber domain (if the president or secretary of defense
should authorize the response). Indeed, USCYBERCOM is already
anticipating a massive manning influx of more than 900 personnel between
2014 and 2016; active service members are scheduled to fill 80 percent
of these slots, and the rest by civilians.45 Further, USCYBERCOM
“activated the headquarters for its Cyber National Mission Force . . .
[to] react to a cyber attack on the nation.”46 Unfortunately,
establishing a new combatant command that concentrates mainly on a
specific domain generates other challenges. For example, the austere
fiscal environment imposes tightening of the military services’ purse
strings, making the expenditure of funds on a largely underestimated and
ill-defined problem difficult to justify.

The role of the NSA in cybersecurity also needs modification. Its
capability for determining the indications and warnings of an impending
or ongoing attack—as well as attributing attacks to individual actors,
groups, or nation-states—needs more utilization by the US government in
cybersecurity. The NSA must have connectivity into the NCCIC to
facilitate the sharing of intelligence and information across the cyber
domain. Additionally, since the agency’s director is also the USCYBERCOM
commander, the two entities can codevelop the previously mentioned
cybersecurity standards and measures, thereby enabling a better product.
Unfortunately, this dual-hatting of a single commander with both US Code
Title 10 and Title 50 authorities remains a tenuous proposition for many
members of Congress. Rectification of this contentious issue is
essential if a unified combatant command should come into existence.

Although USNORTHCOM is the combatant command specifically charged with
homeland defense, a partnership between it and USCYBERCOM for defense in
the cyber domain must be codified. A similar partnership exists between
USNORTHCOM and USSTRATCOM in the space domain. USCYBERCOM retains the
capabilities and should have the authorities for cybersecurity and
defense, but it cannot determine if a cyber attack is a precursor to or
a portion of a larger attack. To remedy this deficiency, USNORTHCOM
requires full integration into the NCCIC to guarantee availability of a
detailed description of the homeland defense environment across all
domains—air, land, maritime, space (with USSTRATCOM), and cyberspace.
The understanding of threats in all domains enables the USNORTHCOM
commander to give the president and/or the secretary of defense an
assessment of current or expected attacks against the homeland.

The DHS’s role also demands redefinition. Although currently the lead
agency for cybersecurity, the department cannot perform this role. Even
though the DHS should retain responsibility for securing critical
infrastructure in the physical domain, the president should redefine its
cybersecurity role to include coordination of cybersecurity intelligence
and the consequence-management portion for effects after a cyber attack
that results in physical damage. For the crisis-management response, the
DHS’s Federal Emergency Management Agency remains the lead organization.
The DHS’s NCCIC should continue to function in its current capacity;
however, USCYBERCOM must have co-ownership or co-oversight of this
center. Because USCYBERCOM maintains more cybersecurity and cyber
defense capabilities, its additional involvement enhances the NCCIC’s
capabilities. Furthermore, dual oversight by the DHS (by authority of US
Code Title 6) and the DOD (by authority of US Code Title 10) prevents
reliance on a single agency for cybersecurity. Finally, USCYBERCOM’s
increased engagement in the NCCIC improves the DOD’s situational
awareness within the cyberspace domain.

The DOJ should keep its focus on cyber terrorism and implement only
minor alterations to its roles and responsibilities. The FBI should
continue as the lead agency that operates domestically to protect and
defend the US cyber domain against terrorist attacks as well as maintain
the National Cyber Investigative Joint Task Force. USCYBERCOM, however,
must have responsibility for defending against cyber threats emanating
from a state-sponsored foreign intelligence agency. Attacks and
intrusions from these actors require proper analysis to determine if
they are part of a larger attack on the US homeland. Note that none of
these proposed changes affects or reduces the investigative authorities
and roles of the FBI, which should remain the lead federal agency for
conducting law-enforcement activities.


Conclusion 

The future of US cybersecurity, cyber defense, and cyber response is not
clear. However, policies that currently define authorities, roles, and
responsibilities do not adequately address the ever-increasing threat in
the cyberspace domain. With some dramatic changes within the authorities
and responsibilities, the US government could drastically improve its
ability to protect US citizens from cyber threats. Specifically, the
companies and corporations that comprise the DIB and support the DOD
must incorporate cybersecurity measures that satisfy DOD standards.
USCYBERCOM should be designated a functional combatant command, share
control and oversight of the NCCIC with the DHS, and be tasked with
responsibilities in the cybersecurity, cyber defense, and cyber-response
realms by authority of US Code Title 10 and 32. USNORTHCOM requires
integration with USCYBERCOM through the NCCIC; as a combatant command
charged with homeland defense, USNORTHCOM must examine a broader range
of threats (across the physical and virtual domains) to determine if a
cyber attack is part of an overall larger attack by a nation-state. The
DHS should retain responsibility for securing critical infrastructure in
the physical domain. The DHS’s cybersecurity role should be reduced to
include only the consequence-management portion (by the Federal
Emergency Management Agency) for effects after a cyber attack that
results in physical damage. Incorporation of these recommendations will
enhance the mitigation of these types of challenges and concerns.